The Importance of Automating Enterprise Security Response

According to a report by Kaspersky, in 2017 the average cost of a data breach in North America was $1.3 million for large enterprises and $117,000 for small and medium-sized businesses. With global spending on cybersecurity products and services predicted to exceed $1 trillion over the five years from 2017 to 2021, according to Cybersecurity Ventures, it’s safe to say that security is a primary concern for organizations today.

Recent incidents like the WannaCry ransomware attack, the marketing database breach at Dun & Bradstreet and Yahoo’s official confirmation of its 2013 data breach are only the tip of the iceberg. As IT leaders are compelled to disrupt and innovate continuously, the chances of vulnerabilities and risks continue to escalate. And let’s not forget the emerging complexities arising from the use of IoT-enabled connected devices, the rise of cloud adoption, hybrid IT, the expansion of enterprise mobility, BYOD policies, and the influx of numerous fragmented SaaS applications within the enterprise IT framework.

The World Economic Forum rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world today. Before delving into the need to automate your enterprise security response, let’s take a quick look at common vulnerabilities and threats.

Vulnerabilities

Careless or unaware employees

Outdated information security controls or architecture

Unauthorized access

Threats

Phishing

Malware

Cyber attacks to steal financial information

Cyber attacks to steal IP or data

Internal attacks

a) Too many tools and a lot of security noise

If you are IT or security personnel, you may be using several protection, detection and visibility products in your organization. An average enterprise today uses 75 security tools (Source: CSOOnline). This results in redundancy and the need to hire even more security experts to manage these products.

These tools are often siloed and generate significant amounts of data and events, overwhelming both IT and security teams who have to manually categorize and prioritize incidents based on their risk profile. Although organizations are investing heavily in prevention, they still lack the capability to contain breaches.

According to a 2017 survey by Ponemon Institute, it took respondents 191 days to spot a breach caused by a malicious attacker, and 66 days to contain it. Another survey by eSecurity Planet reveals that 98 percent of North American IT professionals admitted having challenges with their incident response capabilities.

Let’s dive deeper into common reasons that typically cause delays in responses or at times, lack of a security response altogether.

b) Analysts for Everything

As seen in the image above, a typical security incident investigation process has 10 stages. From prioritization to categorization to looking up file hashes, every stage has an analyst assigned to it. As a result, there is a lot of manual and time-consuming work involved, which also increases the occurrence of human error. Moreover, your team’s productivity decreases because they are not able to devote their time to the business-critical work that does require human attention.

c) Threat is strategic but response is tactical

Traditionally, security responses are high-touch and reactive by nature. They are mostly managed through phone or email conversations and tracked using spreadsheets. Typically there is no documentation or knowledge base, leading to a reliance on historical knowledge held by individuals. In many organizations, IT and security teams work in silos, even if they are seated right next to each other, resulting in flawed coordination during the investigation process. This lack of a robust, structured workflow and of coordination among teams significantly affects response times.

All of these factors combined not only increase your time to respond, but they also prevent you from nipping the threat in the bud, that is, from stopping an attack before it happens and reducing its overall impact.

For example: despite all these precautions, “Joe” from marketing accidentally clicks on a malicious link and reports the incident via email or phone. From there, the Incident Response Team follows the playbook.

As evidenced by the workflow above, there are many manual steps, each of which slows down your team’s ability to resolve the threat efficiently.

A powerful security response strategy isn’t just about identification, protection and containment. It also involves automating those processes within your response workflow that don’t require human intervention.

Rapid remediation is a critical part of a successful cybersecurity protection program, and organizations need to have strong response mechanisms in place. Think about it: in a constantly disruptive technology landscape, new threats are bound to emerge and hackers will find ways to circumvent your defense systems.

Given the current environment, it is safe to assume that attacks are likely to happen and hackers will always be a step ahead. You can familiarize yourself with existing attacks, targeted assaults and emerging methods, but you cannot prepare for what you don’t know you don’t know.

But it’s not the occurrence of the attack that needs to be your immediate concern, it is:

How well prepared and equipped you are to face it

How fast you can detect, prioritize, assign, remediate and review security events

How efficient your IT and security teams are at coordinating internally and with one another

Hiring more security analysts is one option, but it will significantly increase your operational costs and resource requirements. Moreover, if your security event response doesn’t follow a blueprint, bringing in more people to manage new tools or processes will add to the existing chaos. On top of that, there is a serious shortage of cybersecurity skills in the market: in a recent survey by ESG, 51% of IT and cybersecurity professionals said their organization had a problematic shortage of cybersecurity skills.

Free up your IT and security personnel from mundane tasks and allocate them to work on strategic initiatives

Enhance operational efficiencies and cut costs

Improve market reputation of your organization

Blend human involvement and automation

If you have a definitive blueprint for orchestrating security event response, check which areas can be automated and which ones need an analyst’s brain. This doesn’t mean you use a machine to orchestrate the entire activity. Take a bite-sized approach. Shortlist those processes which are:

Right for automation

Risk free

The most time-consuming activities for your teams

Perhaps a machine can take over identifying and extracting IPs, or running repetitive processes. Measure the average response time for each process before and after automating it, so you can see the impact of each change.
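As an added illustration of the “machine takes over identifying and extracting IPs” step (example code written for this article, not from the original post or from ServiceNow): it parses a constructed user report like Joe’s, undoes the defanging users often apply when forwarding links, and separates external indicators from the organization’s own addresses, so the automated blocklist step never touches internal hosts. The internal ranges and domain are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of a user-reported phishing e-mail (not from the original page).
REPORTED_EMAIL = """\
From: joe@example.com
I clicked this before I realised: hxxp://203[.]0[.]113[.]25/invoice/login.php
The mail also linked https://intranet.example.com/help (that one is ours)
and http://198.51.100.7:8080/update.exe. A header shows 10.0.0.5 as well.
"""

# Hypothetical organisation-owned ranges and domains; never auto-block these.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAINS = ("example.com",)

URL_RE = re.compile(r"\bhttps?://\S+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def refang(text):
    """Undo the defanging conventions ('hxxp', '[.]') users apply when reporting."""
    return re.sub(r"\bhxxp", "http", text.replace("[.]", "."), flags=re.IGNORECASE)

def is_internal_ip(ip_str):
    # Explicit ranges rather than ipaddress.is_private, which also matches the
    # documentation range 203.0.113.0/24 used as the stand-in attacker here.
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # unparsable value: let an analyst look rather than auto-block
    return any(ip in net for net in INTERNAL_NETS)

def is_internal_host(host):
    if IP_RE.fullmatch(host):
        return is_internal_ip(host)
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def extract_indicators(report):
    """Split indicators into 'block' (external, safe to hand to the blocklist step)
    and 'review' (internal or unparsable, routed to an analyst instead)."""
    text = refang(report)
    out, seen = {"block": [], "review": []}, set()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")                 # strip sentence punctuation
        host = urlparse(url).hostname or ""
        for ioc in (url, host):
            if ioc and ioc not in seen:
                seen.add(ioc)
                out["review" if is_internal_host(host) else "block"].append(ioc)
    for ip in IP_RE.findall(text):               # bare IPs outside any URL
        if ip not in seen:
            seen.add(ip)
            out["review" if is_internal_ip(ip) else "block"].append(ip)
    return out
```

The "block" list is the part a playbook can push to a firewall or proxy without an analyst; the "review" list is exactly the kind of judgement call the text says still needs a human.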

Achieving the perfect blend of human involvement and automation in your response framework is tough, but with the right automation and orchestration platforms, it is now achievable. In fact, according to Gartner, by 2019, 40% of large enterprises will require specialized, automated tools to meet regulatory obligations in the event of serious information security incidents.

Apply Digital Transformation to Security Operations

Business-centric digital transformation principles can be applied to Security Operations as well. Some of them include:

Transforming operational capabilities

Driving rapid collaboration and innovation

Digitizing for agility and efficiency

We believe that for an organization to realize these principles, it needs to:

Modernize operational capabilities

Automate collaboration and innovation

Orchestrate digitization

Again, in order to support such transformation, using the right automation and orchestration platform is advisable.

You may consider ServiceNow Security Operations, which enables you to connect your existing security tools to prioritize and swiftly respond to security events, based on their potential impact on your business. It brings together the power of the NOW platform to drive transformation.

Different features of ServiceNow Security Operations

Security Incident Response

Integrates with third-party threat detection systems and SIEMs

Single platform to respond to security events

Vulnerability Response

Prioritizes vulnerable items based on business criticality

Respond to the most important vulnerabilities

Threat Intelligence

Understand the depth and potential resolutions of security incidents

Differentiate between potential and actual threat

Workflow

Structure your incident response process

Route work to the right people

Automation & Orchestration

Speed up portions of the workflow for a faster security response

Deep IT integration

Enhance the coordination between your IT and security teams throughout the investigation process

INRY works extensively with organizations looking to automate and orchestrate their security operations. Our capability planning expertise enables you to develop business objectives, select IT solutions, optimize IT investments and ensure that they are aligned with those objectives.

As a ServiceNow Gold partner, we can also help in implementing the solution for your organization.